Microsoft, Lenovo Collaborate to Squash Superfish Security Bug
Microsoft (MSFT) said that it collaborated with Lenovo and Superfish to eradicate malware associated with the developer’s ad-injection software, which the PC maker pre-loaded onto thousands of its machines late in 2014, leaving them vulnerable to man-in-the-middle attacks.
Superfish isn’t your garden-variety bloatware. It installs its own self-signed root certificate, so that when a user visits an HTTPS site, the certificate the browser sees is one signed and controlled by Superfish, falsely presented as the site’s official certificate.
Microsoft’s security team said in a blog post that its Malicious Software Removal tool, updated to detect and remove Superfish, cut the number of infected Lenovo PCs it encountered over the two-week period ending March 4 from a high of 60,000 a day to 3,000 a day, and subsequently to about 1,000 a day.
Based on a graph Microsoft provided showing the number of Superfish infections eradicated from Feb. 20 – March 4, roughly speaking, it appears the vendor removed the malware from about 250,000 Lenovo systems.
“Microsoft worked with Lenovo and Superfish to add detection with a root trust repair solution for Superfish to our real time protection products on February 19,” the company said in a blog post. “At the same time, we shared detection guidance through our MAPP and VIA partner programs to drive an industry cleanup. Our cleanup targets Lenovo machines as this is the only place the vulnerable version of Superfish is encountered.”
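The “root trust repair” Microsoft describes amounts to finding the injected root certificate described above and removing it from the Windows trust stores. The following PowerShell is an added example of that kind of audit, not code from the article, Microsoft or Lenovo; matching the certificate subject on the name “Superfish” and the thumbprint list are assumptions (the thumbprint entry is a placeholder to be replaced with a vetted value).

```powershell
# Added example: audit the Windows root stores for a Superfish-style
# self-signed root and, with -Remove, delete it. Removing LocalMachine
# entries requires an elevated session.
param([switch]$Remove)

# Placeholder only; substitute thumbprints from your own vetted intel.
$KnownBadThumbprints = @('<PLACEHOLDER-THUMBPRINT>')
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$Findings = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store | Where-Object {
        # A root is self-signed (Subject equals Issuer); flag one whose
        # subject names Superfish (assumed match) or a known-bad thumbprint.
        ($_.Subject -eq $_.Issuer -and $_.Subject -like '*Superfish*') -or
        ($KnownBadThumbprints -contains $_.Thumbprint)
    } | ForEach-Object {
        [pscustomobject]@{
            Store      = $Store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
        }
    }
}

if (-not $Findings) {
    Write-Output 'No Superfish-style root certificate found.'
    return
}

$Findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($F in $Findings) {
        # Deleting the root stops browsers trusting interception certificates;
        # the interception software itself still has to be uninstalled.
        Remove-Item -Path (Join-Path $F.Store $F.Thumbprint) -Confirm:$false
        Write-Output "Removed $($F.Thumbprint) from $($F.Store)"
    }
}
```

Run it without -Remove first to review what it finds; browsers that keep their own trust store (rather than using the Windows one) need to be checked separately.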
While it’s not clear whether Microsoft’s, Lenovo’s or another vendor’s adware removal tools were mostly responsible for removing the Superfish invasion, at the very least the collaborative assault appears to have done the trick.
Just in case you forgot the details of Lenovo’s Superfish debacle, after years of seemingly doing everything right, Lenovo pre-installed the Superfish adware on some of its consumer laptops from last September to December, opening an uber-invasive superhighway for attackers to steal users’ encrypted Web data or stored online passwords.
At first the company, astonishingly, claimed it didn’t know that the Superfish adware is built to hijack encrypted Web sessions, insisting that it installed the software to enhance users’ online shopping experience.
But when overwhelmed by an onslaught of heavy criticism from security experts, Lenovo acknowledged it hadn’t done its due diligence prior to pre-installing Superfish, and eventually followed up with a removal tool for users to gut the Superfish from their systems.
What followed was a series of mea culpas, apologies and concerted efforts by the company to right the wrong and regain the trust of its customers.